This topic tells administrators how to configure IM to receive hash values from SA Core. Values are hashed to mask sensitive data in meta keys such as hostnames, usernames, and IP addresses.

The Data Privacy Officer (DPO) role can identify meta keys that contain sensitive data and should display obfuscated data. This topic explains how the administrator maps those meta keys to display a hashed value instead of the actual value.

When a meta key is configured to display a hashed value, all security roles see only the hashed value in the Incidents module.

You use hashed values the same way you use actual values. For example, when you use a hashed value in rule criteria the results are the same as if you used the actual value.

This topic explains how to obfuscate private data in Incident Management. Refer to Data Privacy Management Overview for additional information about data privacy.

Mapping File to Obfuscate Meta Keys

In the Incidents module, the mapping file for data obfuscation is data_privacy_map.js. In it you type an obfuscated meta key name and map it to the actual meta key name.

The following example shows the mappings to obfuscate data for two meta keys, ip.src and user.dst:

'ip.src.hash' : 'ip.src', 'user.dst.hash' : 'user.dst'

You determine the naming convention for obfuscated meta key names. For example, ip.src.hash could be ip.src.private or ip.src.bin. You must choose one naming convention and use it consistently on all hosts.

Prerequisites

DPO role must specify which meta keys require data obfuscation.

Administrator role must map meta keys for data obfuscation.

Procedure

In the obfuscated_attribute_map variable , type the name of a meta key to hold obfuscated data. Then map it to the meta key that does not contain obfuscated data according to this format:'ip.src.hash' : 'ip.src'

Repeat step 2 for every meta key that should display a hashed value.

Use the same naming convention as in step 2 and use it consistently on all hosts.

Save the file. All mapped meta keys will display hashed values instead of actual values. In the following graphic, hashed values display for the IP address and user:

New alerts will display obfuscated data.

Note: Existing alerts still display sensitive data. This procedure is not retroactive.